Hoping for some input on this from others running version 1.0.3 on Windows 7.

Only loaded the machine a month ago and installed the Windows installer for OpenAudit 1.0.3.

Have discovered what appears to be a DoS on the machine. Huge amount of UDP traffic flooding outbound from the machine. Traced it back to thousands of httpd.exe processes opening and closing. Prior to finding this we scanned the machine for viruses and malware but it did not seem to be the cause, which makes sense once I found httpd.exe being the source. The destination of this UDP traffic appears to be a new IP each time I close it down.

I have closed port 80 to the machine for now and restarted Apache, which has stopped the traffic. I am waiting to see if this restarts on its own with HTTP closed to the web, or if something remote is triggering it.

Looking at Apache I see the version installed is 2.2.14 along with PHP 5.3.1 - both of which seem to be extremely old builds, so I am assuming there is an exploit here and I need to update at minimum Apache, perhaps PHP as well.

Any issues in doing this with Open-Audit, and if not, what's the best procedure? I was a bit concerned to find such old builds in the latest installer.

Old XAMPPLite is because they broke SNMP on newer versions. I need to check it (again) against the latest version of XAMPPLite and see if they have fixed it.

Are you running a Windows 7 machine (running Open-AudIT) that is visible from the internet? If so, please update to 1.2.1 as this has an issue with Apache proxy that has been addressed.

If you don't absolutely require Open-AudIT to be visible from the internet, I can't recommend enough to NOT expose it. If you really do need Open-AudIT visible from the internet, I would suggest some consulting service from me/Opmantek as to how to do this securely.

_________________
Support and Development hours available from Opmantek. Please consider a purchase to help make Open-AudIT better for everyone.

I actually don't need snmp, so I can probably upgrade everything right up.

The only scans I do are from external organizations that deliver over the net. Have run it this way for a year or so on a Linux server and been fine, but only recently moved to a Windows 7 machine when I installed the new build.

Should I move back to a Linux host? Or are you suggesting it's the openaudit that shouldn't be open to the net?

I would move to Linux - but that's just me. It shouldn't matter either way, as long as you are running v1.2.1.

I would be careful about exposing Open-AudIT to the internet at large. If it was me, I would have the system_add page exposed on a separate web server and have the rest of the application sitting on another server that is not exposed. How to actually do that I'll leave to you or you can engage Opmantek for some consulting hours - that's what we're here for.
